[57] ABSTRACT

An apparatus and method for dynamic encryption of information including data, voice, and graphics, consisting of a random access memory containing encryption and decryption programs and the information to be encrypted and decrypted, an encryption processor executing the encryption and decryption programs, the encryption and decryption programs being a code set whose members are distinct encryption/decryption codes executed serially by the encryption processor to encrypt and decrypt the information, and also being optionally repetitively executed, and a data set in the random access memory specifying the order of execution and number of repetitions of each member of the code set.

44 Claims, 8 Drawing Sheets 
FIG. 6A (U.S. Patent 5,742,686, Apr. 21, 1998, Sheet 7 of 8)

FIRST ENCRYPTION APPARATUS (the "host"):

1. INITIALIZE: Upon power-up, PROM or EPROM firmware loads into local RAM.

2. BROADCAST A PING: Host sends signal out over network line using a common, uncoded protocol.

4. FIRST CODED PROTOCOL: Host selects the first coded protocol (encryption scheme) from the main system's code library and identifies it to the target.

6. VERIFY AND TEST: If Target does not have a common initial coded protocol, system can be set to either
A) Provide one (non-secure)
B) Notify 'CNE' to courier start-up sets. Then, return to step #4.
If Target successfully matches startup, then system creates a new data set to replace the one that the two cards just used. It sends this data set, which is encrypted by the present protocol.

8. PROCEED WITH NORMAL DATA TRAFFIC: Having received confirmation, normal data traffic resumes.

9. CHANGE TO NEW CODED PROTOCOL: Periodically, or at request of any apparatus, system creates a new data set, sending it to target card using present code.

SECOND ENCRYPTION APPARATUS (assumed to also be initialized):

3. ANSWER - HANDSHAKE 1: Target recognizes call pattern and returns answer.

5. LOAD SAME PROTOCOL: Target searches for same protocol in its main code library and loads it. Target then answers back success or failure.

7. STORE NEW DATA SET: Target confirms and stores the new data set (with alternates) among the other recipes used for different apparatus adjacent in the same line.

10. RECEIVE AND CONFIRM: Target loads the new data set into RAM and confirms/tests with calling node. Flow chart now loops back to STEP #8.
DEVICE AND METHOD FOR DYNAMIC ENCRYPTION

BACKGROUND OF THE INVENTION 

Numerous techniques for limiting access to computer systems and software and for enabling secure communications of data are practiced. In multiuser systems, it is typical for each user to have an identification code and/or a password which the user must enter before gaining access to the system. Security of the system can be compromised when an authorized user reveals his or her identification code and/or password to unauthorized persons or the access code is discovered by a systematic attack such as used by hackers.

Further techniques for securing computers, software and communications include the use of seemingly random generated passwords affording the appropriate access. In some systems, these passwords are generated in response to an inquiry or stimulus from the computer, software or communications source to which access is desired. For these types of systems, there are a number of approaches used by hackers and those intent on stealing valuable information in order to break into the system.

Despite the existence of techniques for limiting access to computer systems, there has not been an inexpensive apparatus for encrypting and decrypting information flowing between personal computers (PCs) in such a way that it is impossible for the encryption scheme to be "hacked." No code is unbreakable; and given enough time, it is possible for a hacker to break into any computer system that uses a single or even a small number of encryption schemes.

There is, however, the kind of encryption scheme which is described as "fully sufficient." It generates the kind of encryption where either the message content or the hacker trying to crack it will die of old age before his computer finally is able to find the correct codes. There are a number of encryption codes available. Each code alone might not be effective enough; but in combination, they become formidable.

The problem with such an approach is the "time barrier." As a hypothetical example, if it takes five cumulative minutes for a 100 megahertz processor to encrypt (or decrypt) a particular message, it would take a very long time for a hacker to try a very large number (perhaps one billion) of permutations before he has any realistic probability of getting the correct key. But the hacker might still be able to break the code. If instead a one hour encryption process is used, the probability of a hacker breaking the code is almost nil. However, such a lengthy encryption and decryption process would put an enormous burden on the legitimate user's PC. On an older non-multitasking PC all activity would be frozen until encryption was complete. Even on multitasking systems, it would severely drag performance and probably cause lockups.

A second problem with traditional encryption schemes is lack of true randomness. Technically speaking, computers do not generate truly "random" numbers, but instead they generate "pseudo-random" numbers. A standard program routine which generates random numbers uses a "seed." Give it the same seed, and it will generate the same output. Thus, traditional encryption schemes which depend upon computer generation of random numbers are subject to attack.

There is a need for an apparatus for dynamic encryption of information including voice, data, and graphics. Such an encrypting system must be: very simple and easy to use, even for non-computer literates; impossible to decode; have a low burden even on non-multitasking computers; have both manual and fully automatic modes; provide documentation to show the user how safe the system is; and eventually provide features for inter-processing with clipboards, word processors, modem/network software, and function as a multi-user encryption server.

SUMMARY OF THE INVENTION 

An apparatus and method for dynamic encryption of information including data, voice, and graphics, consisting of a random access memory containing encryption and decryption programs and the information to be encrypted and decrypted, an encryption processor executing the encryption and decryption programs, the encryption and decryption programs being a code set whose members are distinct encryption/decryption codes executed serially by the encryption processor to encrypt and decrypt the information, and also being optionally repetitively executed, and a data set in the random access memory specifying the order of execution and number of repetitions of each member of the code set.

A principal object and advantage of the encryption apparatus is that it provides powerful parallel processing capability to offload the burden of encryption from the host or personal computer.

A second object and advantage of the encryption apparatus and method is that it allows the creation of custom encryption codes on a per user basis instead of just selecting a code from a limited number. Each copy of the software will randomize differently to produce a unique data set specifying the members, order of execution, and repetition count of a library of distinct encryption codes. There is no way of knowing in advance what such a "recipe" will be. Even if a hacker knows every encryption code and password that the user could use, the hacker has no way of knowing which encryption codes will be randomly selected or the order or repetition count in which they will be executed. Only another authorized user who has been provided with a copy of the "recipe" has this information.

Another object and advantage of the encryption apparatus and method is that it allows a given user to customize the "recipe" manually rather than letting the computer do it. Thus, the user can customize the "recipe" to obtain the extent of protection desired versus the amount of processor time needed to do the encryption. For example, if the user desired to encrypt a telephone conversation, he could not afford to have the encryption "recipe" take several minutes to encrypt each word. On the other hand, for an extremely sensitive data file, a "recipe" could be selected that would take, say, an hour to encrypt the file; and the file would be essentially impossible to break into. The programming can provide a "TEST" button which will tell the user, for example, "It will take a 100 megahertz processor 9 years, 6 months, 4 days, 2 hours, and 53 seconds of continuous processing before it will have a 3% chance of decoding this text." The Test menu can also allow the user to change default values to see, for example, how long it would take a 500 megahertz processor to have a 25% chance. The Test feature assumes that hackers will already know all encryption codes but do not know the unique "recipe".

Another object and advantage of the encryption apparatus and method is that it allows two computers to dynamically modify the "recipe" periodically without any human intervention. Thus, even if a hacker were able to obtain a copy of the recipe, a few minutes later a completely different recipe would be generated; and the hacker's knowledge
would be useless. The "recipe" could change every minute. The first apparatus sends the new "recipe" to the next apparatus using the present "recipe." At the beginning of the next minute, both apparatus begin transceiving with each other using the new "recipe." The old recipes are erased after they are used. Once the transmission is initiated between the apparatus, no human being knows what "recipes" the two apparatus are currently using.

Another object and advantage of the apparatus and method is that it allows network addresses as well as data to be encrypted. On the Internet, for example, each data package has a component destination address. Hackers often try to strip this address to find their target. The apparatus would function by having each node in the Internet encrypt the destination address with a code (or "recipe") which only the next server knows how to unscramble. Rather than using a system which, for example, uses a fixed Ethernet protocol, the entire framed package is encrypted into a dynamic protocol, one designed by one apparatus and agreed to by the next.

Another object and advantage of the encryption apparatus is that it provides for separate [illegible] for "batch" encryption and "real-time" encryption so that both types of encryption may be simultaneously performed. Potentially, the "batch" encryption utilizes a more complicated "recipe" than the "real-time" encryption.

Another object and advantage of the encryption apparatus is that it has a communications port for voice, data, and graphics. In this day and age, there is a shortage of ports as well as expansion slots (or, more specifically, interrupts for those slots) on PCs. Office workers want to be sending a fax, talking on the phone, linking up to special modem-reached servers, and waiting for phone calls on incoming lines. The encryption apparatus can not only encrypt high level messages but it can also have the modem capability of afterwards dialing up the receiver (repeatedly if necessary), sending the encrypted message, and then letting the user know that the message made it or did not make it and why. All this could be done without bottlenecking the PC's normal modem line. For example, a [illegible] owner could send hundreds of faxes or [illegible] all across the country in two steps: encrypt the message and send to a group number. The apparatus can [illegible] number or Internet number from the owner's directory and begin connecting with each one. The owner gets it started, goes home, and the apparatus will keep dialing and transmitting all through the night.

The programming can also prompt the user for what level of protection they want. For example, a stock exchange message might be out of date after one day, but a federal witness [illegible] file might need a century of protection.

Another object and advantage of the encryption apparatus is that it provides an interface to a local area network (LAN) such as Ethernet™ or Token Ring™. This brings the benefits of dynamic encryption described above to LANs.

Another object and advantage of the encryption apparatus is that it may provide an interface to a cellular telephone allowing voice conversations to be encrypted uniquely.

Another object and advantage of the present invention is that it may provide an interface to a car alarm system and a remote alarm transmitter allowing transmissions between the two to be encrypted uniquely.

Another object and advantage of the present invention is that it may have a relay switch, controlled by the encryption processor, for enabling and disabling the flow of information between the communications port and the host computer.

Another object and advantage of the present invention is that it may have an interface to a mass storage device, such as a reel-to-reel tape drive, for storing encrypted and unencrypted information.

Another object and advantage of the present invention is that it may reside either on a standard expansion card for a personal computer or on the personal computer's motherboard.

Another object and advantage of the present invention is that it provides a common encryption scheme for personal computers, cellular phones, car alarms, and other devices which may be controlled from a central computer and allows all such devices to be linked on a network.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic of a specific machine or apparatus embodying the present invention.

FIG. 2 is a schematic showing one embodiment of the data set and code set of the present invention.

FIG. 3 is a flowchart for a computer program executing in the apparatus of FIG. 1 in "batch" mode.

FIG. 4 is a flowchart for a computer program executing in the apparatus of FIG. 1 in "real-time" mode.

FIG. 5 is a flowchart for a computer program executing in the apparatus of FIG. 1 in "real-time" mode and including the ability to dynamically change the encryption data set periodically.

FIGS. 6A and 6B are detailed flowcharts showing the interaction between two machines of the present invention to change the encryption data set periodically.

FIG. 7 is a schematic of the CSMA/CD protocol frames exchanged between two machines where the network addresses are encrypted.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

A specific machine or apparatus embodying the present invention is shown in FIG. 1 by reference numeral 10. The apparatus 10 comprises a random-access memory (RAM) 12 containing encryption and decryption programs and the information to be encrypted and decrypted. The apparatus 10 also comprises an encryption processor 14 executing the encryption and decryption programs contained in the RAM 12.

The apparatus 10 may have a counter 15 for counting the number of complete encryptions as will be more completely discussed below.

The apparatus 10 preferably has an interface 16 to a host computer 18 as will be more completely discussed below.

The apparatus 10 may have a second encryption processor executing in parallel with the first encryption processor 14 and controlling the first encryption processor 14.

The apparatus 10 preferably has a communications port 22 for voice and/or data. The communications port 22 further comprises a telephone line interface 24 and a handset interface 26. Attached to the communications port 22 may preferably be an analog/digital converter 28.

The apparatus 10 may also include an interface 30 to a local area network.

The apparatus 10 may also include an interface 32 to a cellular telephone and an interface 34 to a car alarm system and a remote car alarm transmitter.

The apparatus 10 may also include a relay switch 36 for enabling and disabling the flow of information between the communications port 22 and the host computer interface 16. The first encryption processor 14 preferably controls the relay switch 36.

The apparatus 10 may also include an interface 38 to a mass storage device for transferring information between the apparatus 10 and a mass storage device.

The apparatus 10 may also include a non-volatile memory 40 containing start-up programs.

The encryption and decryption programs executing in the apparatus 10 are shown in FIGS. 2-5. As shown in FIG. 2, the encryption and decryption programs further comprise a code set 60 whose members 60a, 60b, 60c, etc. are distinct encryption/decryption codes which are executed serially by the first encryption processor 14 to encrypt and decrypt the information. Each member 60a, 60b, 60c, etc. may optionally be repetitively executed.

The order of execution and number of times each member 60a, 60b, 60c is executed is specified in a data set 70 in the RAM 12.

The data set 70 may preferably be randomly generated. In this way, there is no way for an unauthorized user to determine the encryption "recipe" (i.e., the contents of data set 70). One way to do this, as is known in the art, is to start with a seed such as a random number. The seed may be an identification signature which is unique to each medium containing the encryption and decryption programs. For example, a diskette ID may serve the dual purpose of identifying the medium and providing the seed. The seed may in addition contain the date and time of day at which encryption begins. Alternatively, or in addition, the seed may be based on the counter 15 and include the count of the number of completed encryptions. Alternatively, the seed may comprise the length of the last portion of information, such as a word, that was encrypted.

Instead of the data set 70 being randomly generated, it may be created by the user of the apparatus 10. In such a case, the apparatus 10 further preferably comprises a host computer 18 and host computer interface 16 and software executing on the host computer 18 to create the data set 70. Preferably, the apparatus 10 will also include user interface software adapted to allow the user to specify the contents of the data set 70 to the software which creates the data set 70. For example, the Microsoft Windows™ operating system may be used as the user interface software.

The software and user interface software may include a "TEST" function that statistically determines the probability of deciphering the "recipe" after a certain period.

FIG. 2 shows one example of the data set 70. Here the data set 70 contains a series of terms separated by commas, but any separation may be used. Each term specifies one member of the code set 60. As shown in the Figure, the data set 70 also has an optional execution count in parentheses after each of the terms.

The data set 70 shown in FIG. 2 specifies that the information to be encrypted is first run through an encrypting code called DOMINO-5 30 times in succession. A domino code is dynamic. Every character has a value. The algorithm takes each character to be encoded and shifts the value according to the value of the letter(s) that came before it. Previous word size can also influence the offset. Thus, the first "e" in the same message might be encoded as an upper-case "A." The next "e" in the same message might be encoded as the number "1."

The data set 70 next specifies that the information to be encrypted is next run through an encrypting code called SCRAMBLER-267 1,123 times in succession. SCRAMBLER-267 could, for example, take characters 1 through 10, reverse their order, and then swap them for characters 41 through 50.

The data set 70 next specifies that everything done since the beginning of encryption be REPEATed 11,000 times. Finally, a user-created encrypting code called MYCODE-9 is executed 125,000 times.

FIG. 3 is a flowchart of one of the encryption and decryption programs executing in the first encryption processor 14. In this embodiment, the apparatus 10 is being used in "batch" mode to encrypt some information residing on the host computer 18.

At step 100, the host computer or first location generates the data set 70, either randomly or under user control as discussed above. At step 110, the host computer 18 loads the data set 70 into the encryption apparatus 10 by means of the host computer interface 16. At step 120, the encryption apparatus 10 parses the data set 70. For example, in the example shown in FIG. 2 such parsing would consist of looking for the next successive comma in the data set 70. However, the exact rules for parsing the data set 70 will depend on the character which is used in separating the terms.

At step 130, the host computer 18 loads the information to be encrypted into the encryption apparatus 10. At step 140, the encryption apparatus 10 executes, as by the first encryption processor 14, each of the members 60a, 60b, 60c, etc. of the code set 60 in the order and number of repetitions specified in the data set 70. This results in the information becoming encrypted.

At step 150, the encryption apparatus 10 notifies the host computer 18, for example by an interrupt, that encryption is complete. At step 160, the encrypted information is moved to the host computer 18.

FIG. 4 is a flow chart for another set of encryption and decryption programs. In the Figure, two of the apparatus 10 are connected together over a network. Here, "network" refers to any method of connecting two or more of the apparatus 10 together. Examples would be a local area network such as Ethernet™ or Token Ring™ or a wide-area network such as the Internet. FIG. 4 shows encryption and decryption in "real-time" mode, i.e., as the two apparatus 10 "talk" to each other.

Steps 100-140 are the same as described above.

At step 105, the first host computer or first location transmits the data set 70 and perhaps also the code set 60 to the second host computer or second location. "Transmit" means any method of delivering the data set 70 and perhaps code set 60, for example, by mail or by transmission over a local area network or a wide-area network. For example, the data set 70 and perhaps the code set 60 could be transmitted over the communications port 22 or over the network interface 30. At step 115, the second host computer loads the data set 70 into the second encryption apparatus. At step 125, the second encryption apparatus parses the data set 70 as described above.

Following step 140, the first encryption apparatus transmits the encrypted information to the second encryption apparatus at step 145, and the second encryption apparatus receives the transmitted encrypted information.

Step 147 is the same as step 140, except that it is executed in the second encryption apparatus to decrypt the transmitted information. That is, the data set 70 is traversed in reverse order.




Steps 150 and 160 are the same as described above, except that they are executed in the second apparatus and second host computer.

The "real-time" programs of FIG. 4 may be executed in the second encryption processor while the "batch" programs of FIG. 3 are executed in the first encryption processor. This provides for the ability to do "batch" encryption and "real-time" encryption simultaneously.

FIG. 5 is a flowchart of the encryption and decryption programs executing in the apparatus 10 and including the further ability for the apparatus 10 to dynamically change the data set 70 periodically and to communicate this change to other of the apparatus 10.

Steps 100-140, 105-125, and 145-160 are the same as discussed above.

At step 14[illegible], the apparatus 10 makes a decision on whether or not it is time to change the data set 70. This could be done, for example, by comparing a real-time clock to a predetermined time. If it is not time to change the data set 70, the [illegible]. [Illegible] the data set 70, the apparatus 10 changes the content of the data set 70 at step [illegible]. This might consist, for example, of [illegible] which specifies a different user-created code. At step 148, the changed data set 70 is transmitted to the second encryption apparatus as was described above at step 165. The second encryption apparatus then parses the changed data set 70 at step 125 and prepares to receive the next set of encrypted information [illegible] the changed data set 70. Also at step 14[illegible], [illegible] returns to step 120 to parse the changed data set 70.

FIG. 6 specifies in more detail how the two apparatus 10 exchange the changed data set 70. At step 2, the first apparatus (the "host") broadcasts a "ping" signal over the network to the target apparatus using a common, uncoded protocol. At step 3, the target apparatus recognizes the call pattern and returns an answer. At step 4, the "host" selects the first encryption scheme (i.e., data set 70 and code set 60) and identifies it to the target. At step 5, the target searches its libraries for the same encryption scheme and loads it. The target then answers back success or failure. At step 6, the "host" receives the target's answer. If the target does not have a common encryption scheme, the "host" can either transmit the encryption scheme to the target or notify a communications network engineer (CNE) to courier a copy of the encryption scheme to the target. If the target successfully matches the encryption scheme, the "host" creates a new data set 70 and transmits the new data set 70 to the target encrypted under the present data set. At step 7, the target stores the new data set 70, confirms receipt to the host, erases the old data set 70, and resumes communication with the host under the new data set 70 rules (step 8). At step 9, the host may change the data set 70 and send it to the target using the present data set 70, and at step 10 the target receives the new data set 70, confirms receipt to the host, and returns to step 8.

FIG. 7 shows that not only end-user data but the network addresses of each of the apparatus 10 connected in a network may be encrypted and decrypted under any of the programming discussed above. In this way, it is impossible for a hacker to "strip off" the network addresses as a first step in breaking into one of the host computers, because the encryption of the network addresses is constantly changing.

The communications port 22 may be used for transmitting voice, data, or graphics, and the information transmitted may be unencrypted or encrypted. For the transmission of information, the telephone line interface 24 may be analog (e.g., a modem) or digital (e.g., Integrated Services Digital Network, ISDN). In the case of an analog interface, the analog/digital converter 28 may be used to convert an analog signal from the telephone line interface to digital information. Voice "real-time" encryption may be performed by taking an analog signal from the telephone handset interface 26, digitizing it by the analog/digital converter 28, encrypting it, and sending it out over the telephone line interface 24. The communications port 22 may also have the ability to send and receive facsimile (fax) messages.

The apparatus 10 may optionally include a relay switch 36 for enabling and disabling the flow of information between the communications port 22 and the host computer interface 16. The first encryption processor 14 preferably controls the relay switch 36. The relay switch 36 may be used to isolate or "wall up" the host computer after an extremely-sensitive [illegible] apparatus 10, decrypted, and [illegible]. The relay switch 36 then disconnects the communications port. It would then be impossible for a hacker to enter the apparatus 10 or host computer 18 until the [illegible] reset. In another application, a network [illegible] wall up all the [illegible] on the network if a security program [illegible] intruding activity across a telephone line.

The apparatus 10 may also include an interface 38 to a mass storage device for transferring information between the apparatus 10 and the mass storage device. The storage [illegible] information flowing through the apparatus 10, in either encrypted or unencrypted form. An example of such a mass storage device would be a reel-to-reel tape drive.

The apparatus 10 may preferably include a non-volatile memory 40 containing [illegible] the apparatus 10 is powered on.

The apparatus 10 may preferably reside on a standard expansion card for a personal computer [illegible] higher levels of encryption will bog down or lock up most PCs. By passing the information to be encrypted to the card along with the encryption codes and passwords, the card will then perform CPU-breaking tasks while the user's PC goes on supporting spreadsheets, word processors, etc. Having the apparatus 10 on an expansion card would keep the initial cost of implementation down. Alternatively, the apparatus 10 could be built into the motherboard of a personal computer to provide greater throughput.

If sufficient miniaturization can be done, the apparatus 10 may be built into other devices that would benefit from dynamic encryption. For example, the apparatus 10 could be built into a cellular telephone via interface 32 to allow dynamic encryption of voice. As another example, the apparatus 10 could be built into both a car alarm and the remote alarm transmitter via interface 34, so that the arming and disarming codes would be dynamically encrypted. Finally, the encryption and decryption programs may be centrally maintained on a host computer 18 and distributed to all of the above devices so that PCs, cell phones, car alarms, and other devices may all be encrypted by a common scheme and linked over a network.

The present invention may be embodied in other specific forms without departing [illegible] thereof; and it is, therefore, desired that the present embodiment be considered in all respects as illustrative and not restrictive, reference being made to the appended claims rather than to the foregoing description to indicate the scope of the invention.
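The recipe format of FIG. 2, the forward traversal of step 140 and reverse traversal of step 147, and the re-keying exchange of FIG. 6 (steps 6 through 10), as an added Python example that is not the patent's own software. DOMINO, SCRAMBLER, the `Apparatus` class and the sample recipes are constructed from the text's description; the patent gives no actual algorithm for its codes, so the two members here are toy codes used only to show the recipe machinery.

```python
"""Added worked example (not the patent's own software): parse a data set 70
"recipe", run the code set 60 members serially to encrypt, traverse the
expanded recipe in reverse with each member's inverse to decrypt, and re-key
a peer by sending the new recipe encrypted under the present one (FIG. 6)."""
import re

# code set 60: each member is an (encrypt, decrypt) pair over a list of byte
# values.  DOMINO shifts each byte by the plaintext byte that came before it.
def domino_enc(buf):
    out, prev = [], 0
    for b in buf:
        out.append((b + prev) % 256)
        prev = b
    return out

def domino_dec(buf):
    out, prev = [], 0
    for c in buf:
        b = (c - prev) % 256
        out.append(b)
        prev = b  # the recovered plaintext byte drives the next un-shift
    return out

def scrambler_enc(buf):
    """Reverse characters 1-10 and swap them with 41-50; needs >= 50 bytes."""
    if len(buf) < 50: raise ValueError("SCRAMBLER needs at least 50 bytes")
    out = list(buf)
    out[0:10], out[40:50] = buf[40:50], buf[0:10][::-1]
    return out

def scrambler_dec(buf):
    if len(buf) < 50: raise ValueError("SCRAMBLER needs at least 50 bytes")
    out = list(buf)
    out[40:50], out[0:10] = buf[0:10], buf[40:50][::-1]
    return out

# the library each apparatus holds; FIG. 6 step 5 searches it by name
CODE_SET = {"DOMINO": (domino_enc, domino_dec),
            "SCRAMBLER": (scrambler_enc, scrambler_dec)}
TERM = re.compile(r"^\s*([A-Z]+)(?:-\d+)?\s*(?:\((\d+)\))?\s*$")

def parse_data_set(text):
    """Split at each successive comma; a term is NAME[-id][(count)].  REPEAT(n)
    re-runs everything done since the beginning n more times; a name the
    library lacks is rejected (the target answers 'failure', FIG. 6 step 5)."""
    steps = []
    for term in text.split(","):
        m = TERM.match(term)
        if not m:
            raise ValueError("bad term: %r" % term)
        name, count = m.group(1), int(m.group(2) or 1)
        if name == "REPEAT":
            steps = steps + steps * count
        elif name in CODE_SET:
            steps.append((name, count))
        else:
            raise ValueError("code %s not in library" % name)
    return steps

def encrypt(data, steps):
    buf = list(data)
    for name, count in steps:  # forward traversal, FIG. 3 step 140
        for _ in range(count):
            buf = CODE_SET[name][0](buf)
    return bytes(buf)

def decrypt(data, steps):
    buf = list(data)
    for name, count in reversed(steps):  # reverse traversal, FIG. 4 step 147
        for _ in range(count):
            buf = CODE_SET[name][1](buf)
    return bytes(buf)

class Apparatus:
    """One node holding only its present recipe (the old one is erased)."""
    def __init__(self, recipe):
        self.recipe = recipe

    def send_new_recipe(self, new_recipe):
        # host: the new data set travels encrypted under the present data set
        # (FIG. 6 has the host wait for the target's confirmation; omitted here)
        ct = encrypt(new_recipe.encode(), parse_data_set(self.recipe))
        self.recipe = new_recipe
        return ct

    def receive_new_recipe(self, ct):
        # target: decrypt under the present data set, check the library, store
        new_recipe = decrypt(ct, parse_data_set(self.recipe)).decode()
        parse_data_set(new_recipe)
        self.recipe = new_recipe
        return new_recipe

def demo():
    # constructed run: (message round-trips, both peers now hold the new recipe)
    recipe = "DOMINO-5(3), SCRAMBLER-267(2), REPEAT(2)"
    msg = b"The quick brown fox jumps over the lazy dog; constructed sample text."
    steps = parse_data_set(recipe)
    ct = encrypt(msg, steps)
    host, target = Apparatus(recipe), Apparatus(recipe)
    new = "SCRAMBLER-267(5), DOMINO-5(2), REPEAT(1), DOMINO-5(4)"  # >= 50 bytes
    target.receive_new_recipe(host.send_new_recipe(new))
    return ct != msg and decrypt(ct, steps) == msg, host.recipe == target.recipe == new
```

Because REPEAT is expanded into a flat step list before execution, reversing that list with each member's inverse is exactly the "traverse in reverse order" of step 147, and a recipe naming a member absent from the library fails at parse time rather than producing undecryptable output.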
What is claimed is:

1. An apparatus for dynamic encryption of information
including data, voice, and graphics, comprising:

a random-access memory containing more than one distinct
encryption and decryption programs and the information
to be encrypted and decrypted,

a first encryption processor executing said encryption and
decryption programs,

wherein said encryption and decryption programs further
comprise a code set, the members of said code set being
executed serially by said first encryption processor,
each member partially encrypting the information, each
member of said code set being optionally repetitively
executed, and

a data set in said random access memory specifying the
order of execution of said members of said code set and
the number of times each such member is executed, the
contents of said data set changing automatically on a
periodic basis.

2. The apparatus of claim 1, wherein said data set is
randomly generated based on a seed.

3. The apparatus of claim 2, wherein said seed is an
identification signature unique to each medium containing
said encryption and decryption programs.

4. The apparatus of claim 3, wherein said seed further
comprises the date and time of day at which encryption
begins.

5. The apparatus of claim 3, wherein said apparatus
further comprises a counter which counts the number of
complete encryptions and said seed further comprises said
count of complete encryptions.

6. The apparatus of claim 3, wherein said seed further
comprises the length of the last portion of information
encrypted.

7. The apparatus of claim 2, wherein said data set is
created by the user.

8. The apparatus of claim 7, further comprising user
software executing on a host computer connected to said
apparatus by a host computer interface and said user
software creating said data set.

9. The apparatus of claim 8, further comprising user
interface software adapted to allow the user to specify the
contents of said data set to said user software.

10. The apparatus of claim 9, wherein said user interface
software allows the user to test the statistical probability of
an unauthorized user deciphering said data set.

11. The apparatus of claim 1, further comprising a second
encryption processor executing in parallel to said first
encryption processor and controlling said first encryption
processor.

12. The apparatus of claim 11, wherein said first encryption
processor performs batch encryption/decryption and
said second encryption processor performs real-time
encryption/decryption.

13. The apparatus of claim 1, further comprising a
communications port for voice and data.

14. The apparatus of claim 13, wherein said communications
port further comprises a telephone line interface and a
handset interface.

15. The apparatus of claim 14, further comprising an
analog/digital converter connected to said communications
port.

16. The apparatus of claim 13, further comprising a host
computer interface for connecting said apparatus to a host
computer containing the information to be encrypted and
decrypted.

17. The apparatus of claim 1, wherein the contents of said
data set changes periodically.
18. The apparatus of claim 17, wherein two of said
apparatus are connected in a network and cooperate to
periodically, automatically change the contents of said data
set.

19. The apparatus of claim 18, further comprising a
network interface to a local area network.

20. The apparatus of claim 19, wherein the network
addresses of each of said apparatus are encrypted by one of
said two apparatuses.

21. The apparatus of claim 1, further comprising an
interface to a cellular telephone.

22. The apparatus of claim 1, further comprising an
interface to a car alarm system and a remote car alarm
transmitter.

23. The apparatus of claim 16, further comprising a relay
switch for enabling and disabling the flow of information
between said communications port and said host computer
interface, said first encryption processor controlling said
relay switch.

24. The apparatus of claim 1, further comprising a mass
storage device interface for transferring information
between said apparatus and a mass storage device.

25. The apparatus of claim 1, wherein said apparatus
resides on a standard expansion card for a personal
computer.

26. The apparatus of claim 1, wherein said apparatus
resides on the motherboard of a personal computer.

27. The apparatus of claim 1, further comprising a
non-volatile memory containing start-up programs.

28. A method for performing dynamic encryption and
decryption of information including data, voice, and
graphics, comprising the steps of:

in a first host computer, generating a data set whose
contents specify the order of execution and number of
repetitions of each member of a code set having multiple
members whose members are distinct encryption/
decryption codes stored in said host computer,

loading said data set from said first host computer into an
encryption apparatus,

parsing said data set in said encryption apparatus,

loading each member of said code set into said encryption
apparatus,

loading the information to be encrypted into said encryption
apparatus,

executing each member of said code set in said encryption
apparatus in the order of execution and number of
repetitions indicated by said data set, each member
partially encrypting the information,

notifying the first host computer at the completion of
encryption of the information,

moving the encrypted information from said encryption
apparatus to the first host computer,

transmitting the contents of said data set and the members
of said code set to a second host computer,

transmitting the encrypted information to a second
encryption apparatus connected to said first encryption
apparatus over a network, and said second encryption
apparatus parsing said data set, loading the members of
said code set from said second host computer, executing
the members of said code set to decrypt the
information, notifying said second host computer at the
completion of decryption of the information, and
transferring the decrypted information to said second host
computer,

changing the contents of said data set automatically and
periodically at said first encryption apparatus and
communicating the changed contents of said data set to said
second encryption apparatus.

29. The method of claim 28, wherein said data set 
generation step is performed without user intervention. 

30. The method of claim 28, wherein said data set
generation step is controlled by the user.

31. The method of claim 28, comprising the further step 
of encrypting the network address of said second encryption 
apparatus at said first encryption apparatus, and decrypting 
the network address of said second encryption apparatus at 
said second encryption apparatus. 
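The mechanism of claims 1 through 10 (a code set run serially under a data set, the seed of claims 3 to 6, the claim 10 probability test) and of claims 28 through 31 (two apparatuses exchanging the data set, encrypting the network address with the traffic, and rotating the data set under the present one, as in FIG. 6 step 9) can be shown end to end in a short program. The following is an added example, not code from the patent or from any product based on it. Everything concrete in it is an assumption of the example: the three byte transforms (XOR, modular add, bit rotate) are constructed toy stand-ins for the patent's encryption programs, the 8-byte member key derived from the seed is not something the claims describe, the `name:reps,...;keyhex` wire format, the `Apparatus` class, and the medium ids `card-A`/`card-B` and timestamps are all invented for illustration.

```python
import hashlib
import math
import random
from typing import Callable, Dict, List, Tuple

def _xor(data: bytes, key: bytes) -> bytes:  # an involution: its own inverse
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def _add(data: bytes, key: bytes) -> bytes:
    return bytes((b + key[i % len(key)]) & 0xFF for i, b in enumerate(data))

def _sub(data: bytes, key: bytes) -> bytes:
    return bytes((b - key[i % len(key)]) & 0xFF for i, b in enumerate(data))

def _rotl(data: bytes, key: bytes) -> bytes:
    r = key[0] % 8
    return bytes(((b << r) | (b >> (8 - r))) & 0xFF for b in data)

def _rotr(data: bytes, key: bytes) -> bytes:
    r = key[0] % 8
    return bytes(((b >> r) | (b << (8 - r))) & 0xFF for b in data)

# The code set: distinct members, each paired with its decryption counterpart.
# Constructed toy transforms stand in for the patent's encryption programs.
CODE_SET: Dict[str, Tuple[Callable, Callable]] = {
    "xor": (_xor, _xor), "add": (_add, _sub), "rotl": (_rotl, _rotr)}
DataSet = List[Tuple[str, int]]  # (member, repetition count) in execution order

def make_seed(medium_id: str, timestamp: str, count: int, last_len: int) -> int:
    # Claims 3-6: medium signature, date/time, completed-encryption count and
    # length of the last portion encrypted, hashed into one seed.
    material = f"{medium_id}|{timestamp}|{count}|{last_len}".encode()
    return int.from_bytes(hashlib.sha256(material).digest()[:8], "big")

def generate_data_set(seed: int, max_reps: int = 3) -> Tuple[DataSet, bytes]:
    # Claim 2: data set randomly generated from the seed. The 8-byte member
    # key is an assumption of this example; the claims do not cover keys.
    rng = random.Random(seed)
    order = list(CODE_SET)
    rng.shuffle(order)
    data_set = [(name, rng.randint(1, max_reps)) for name in order]
    return data_set, bytes(rng.randrange(256) for _ in range(8))

def execute(info: bytes, data_set: DataSet, key: bytes, decrypt: bool = False) -> bytes:
    # Each member runs serially `reps` times in data-set order; decryption
    # runs the inverse members in reverse order.
    for name, reps in (reversed(data_set) if decrypt else data_set):
        member = CODE_SET[name][1 if decrypt else 0]
        for _ in range(reps):
            info = member(info, key)
    return info

def data_set_space(n_members: int = len(CODE_SET), max_reps: int = 3) -> int:
    # Claim 10: distinct data sets (orderings x repetition counts) an
    # unauthorized user would have to try; the guess probability is 1/space.
    return math.factorial(n_members) * max_reps ** n_members

def serialize(data_set: DataSet, key: bytes) -> bytes:
    return (",".join(f"{n}:{r}" for n, r in data_set) + ";" + key.hex()).encode()

def parse(blob: bytes) -> Tuple[DataSet, bytes]:
    # The "parsing said data set" step of claims 28 and 32 (wire format assumed).
    steps, key_hex = blob.decode().split(";")
    data_set = [(n, int(r)) for n, r in (s.split(":") for s in steps.split(","))]
    return data_set, bytes.fromhex(key_hex)

# One encryption apparatus; medium_id plays the claim-3 identification signature.
class Apparatus:
    def __init__(self, medium_id: str) -> None:
        self.medium_id, self.count, self.last_len = medium_id, 0, 0
        self.data_set: DataSet = []
        self.key = b""

    def install(self, blob: bytes) -> None:
        self.data_set, self.key = parse(blob)

    def new_data_set(self, timestamp: str) -> bytes:
        seed = make_seed(self.medium_id, timestamp, self.count, self.last_len)
        return serialize(*generate_data_set(seed))

    def encrypt(self, info: bytes) -> bytes:
        self.count += 1            # claim 5: counter of complete encryptions
        self.last_len = len(info)  # claim 6: length of the last portion
        return execute(info, self.data_set, self.key)

    def decrypt(self, data: bytes) -> bytes:
        return execute(data, self.data_set, self.key, decrypt=True)

def exchange(address: bytes, payload: bytes) -> Tuple[bytes, bool]:
    # Claims 28-31: distribute a data set, send the network address encrypted
    # together with the payload, then rotate the data set under the present one.
    first, second = Apparatus("card-A"), Apparatus("card-B")  # constructed ids
    blob = first.new_data_set("1998-04-21T00:00:00")           # constructed time
    for apparatus in (first, second):
        apparatus.install(blob)                                # initial distribution
    recovered = second.decrypt(first.encrypt(address + b"|" + payload))
    new_blob = first.new_data_set("1998-04-21T00:01:00")
    second.install(second.decrypt(first.encrypt(new_blob)))   # sent under present set
    first.install(new_blob)
    return recovered, first.data_set == second.data_set
```

Running `exchange(b"10.0.0.7", b"hello")` returns the recovered address-plus-payload and `True` for both apparatuses holding the same rotated data set. Two points the example makes visible: the whole scheme is only as strong as the member programs, since decryption is just the inverse members applied in reverse order; and an even repetition count of an involution such as XOR cancels to the identity, so the claim 10 count of orderings times repetition counts is an upper bound on the variety actually obtained, not the effective key space.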

32. A method for performing dynamic encryption of
information including data, voice, and graphics at a first
location and dynamic decryption of the information at a
second location, comprising the steps of:

at the first location:

generating a data set whose contents specify the order
of execution and number of repetitions of each
member of a code set having multiple members, said
members being distinct encryption/decryption codes,

transmitting said data set and said code set to the
second location,

parsing said data set,

executing each member of said code set in the order of
execution and number of repetitions indicated by
said data set, each member encrypting the
information,

transmitting the encrypted information to the second
location, and

at the second location:

receiving said data set and said code set from the first
location,

parsing said data set, and

executing each member of said code set in the order of
execution and number of repetitions indicated by said
data set to decrypt the information,

wherein the contents of said data set is automatically and
periodically changed and the changed contents are
transmitted from the first location to the second
location.

33. The method of claim 32, wherein said data set is 
randomly generated. 

34. The method of claim 32, wherein said data set is 
generated by a user. 

35. An apparatus for dynamic encryption of information
including data, voice, and graphics, by automatic, periodic
changes to a set of encryption programs and to the repetition
count for each program, comprising:

a memory containing more than one distinct encryption/
decryption program and the information to be
encrypted and decrypted,

a first encryption processor serially executing certain of
said encryption/decryption programs, each encryption/
decryption program partially encrypting the
information,

a code set specifying the identities of the encryption/
decryption programs, and

a data set specifying which of said encryption/decryption
programs identified by said code set are to be executed
by said first encryption processor, the order of execution
of said encryption/decryption programs, and the
number of times each encryption/decryption program is
executed, the contents of said data set changing
automatically and periodically.

36. The apparatus of claim 35, wherein each of said
encryption/decryption programs itself remains unmodified
by the first encryption processor.

37. The apparatus of claim 35, wherein said data set is
initially randomly generated.

38. The apparatus of claim 35, wherein said data set is
initially created by the user.

39. The apparatus of claim 35, wherein two of said
apparatus are connected in a network and cooperate to
automatically and periodically change the contents of said
data set.

40. The apparatus of claim 39, wherein the contents of 
said data set changes at least once per minute. 

41. The apparatus of claim 6, wherein the contents of said 
data set changes with every transmission between the two 
apparatuses. 

42. A method for performing dynamic encryption of
information including data, voice, and graphics at a first
location and dynamic decryption of the information at a
second location, by automatic, periodic changes to a set of
encryption programs and to the repetition count for each
program, comprising the steps of:

at the first location:

generating, in a first memory, a data set whose contents
specify the identity, order of execution, and repetition
count of members of a group of more than one
distinct encryption/decryption programs, each
encryption/decryption program residing in a second
memory,

transmitting said data set to the second location,
parsing said data set,

executing each specified encryption/decryption program
in the order of execution and number of
repetitions indicated by said data set, each
encryption/decryption program partially encrypting
the information,

transmitting the encrypted information to the second
location,

automatically and periodically changing the contents of
said data set at the first location and transmitting the
changed contents of said data set to the second
location,

at the second location:

receiving said data set from the first location,

parsing said data set, and

executing each specified encryption/decryption program
in the order of execution and number of
repetitions indicated by said data set to decrypt the
information, and

automatically and periodically receiving a said data set
whose contents have been changed at the first
location.

43. The method of claim 30, wherein said data set is 
initially randomly generated. 

44. The method of claim 30, wherein said data set is 
initially generated by the user. 



